From 94b3529eee7bb20f1b1539563f879848b9ebc2e6 Mon Sep 17 00:00:00 2001 From: linawolf <112@linawolf.de> Date: Thu, 16 Jun 2022 11:44:58 +0200 Subject: [PATCH] [DOCS] Document "Restrict export functionality" Add changelog entry to https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902 - Restrict export functionality to allowed users Resolves: #97771 Releases: main, 11.5, 10.4 Change-Id: I98252b73aa5b14a8cfe5d26559711123e17ced15 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74976 Tested-by: core-ci <typo3@b13.com> Tested-by: Nikita Hovratov <nikita.h@live.de> Reviewed-by: Nikita Hovratov <nikita.h@live.de> --- ...trictExportFunctionalityToAllowedUsers.rst | 53 +++++++++++++++++++ ...trictExportFunctionalityToAllowedUsers.rst | 53 +++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 typo3/sysext/core/Documentation/Changelog/10.4.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst create mode 100644 typo3/sysext/core/Documentation/Changelog/11.5.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst diff --git a/typo3/sysext/core/Documentation/Changelog/10.4.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst b/typo3/sysext/core/Documentation/Changelog/10.4.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst new file mode 100644 index 000000000000..eedbe719fe4c --- /dev/null +++ b/typo3/sysext/core/Documentation/Changelog/10.4.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst 
@@ -0,0 +1,53 @@ +.. include:: /Includes.rst.txt + +.. _important-94951-1655368664: + +=================================================================== +Important: #94951 - Restrict export functionality to allowed users +=================================================================== + +See :issue:`94951` + +.. important:: + This change was introduced as part of the + `TYPO3 11.5.11 and 10.4.29 security release <https://typo3.org/security/advisory/typo3-core-sa-2022-001>`__. + +Description +=========== + +The export functionality has the following security drawbacks: + +* Export for editors is not limited on field level +* The :guilabel:`Save to filename` functionality saves to a shared folder, + which other editors with different access rights may have access to. + +Both issues are not easy to resolve and also the target +audience for the Import/Export functionality are mainly +TYPO3 admins. + +Impact +====== + +The export functionality is restricted +to TYPO3 admin users and to users, who explicitly have +access through the new user TSConfig setting +:typoscript:`options.impexp.enableExportForNonAdminUser`. + +Affected installations +====================== + +Installations with EXT:impexp installed where non-admin users need to use the +export functionality. + +Migration +========= + +If non-admin users should be able to use the export tool, set the +following user TSconfig: + +.. code-block:: typoscript + :caption: EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig + + options.impexp.enableExportForNonAdminUser = 1 + +.. index:: Backend, TSConfig, NotScanned, ext:impexp diff --git a/typo3/sysext/core/Documentation/Changelog/11.5.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst b/typo3/sysext/core/Documentation/Changelog/11.5.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst new file mode 100644 index 000000000000..2596e9a25432 --- /dev/null 
+++ b/typo3/sysext/core/Documentation/Changelog/11.5.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst @@ -0,0 +1,53 @@ +.. include:: /Includes.rst.txt + +.. _important-94951-1655368665: + +=================================================================== +Important: #94951 - Restrict export functionality to allowed users +=================================================================== + +See :issue:`94951` + +.. important:: + This change was introduced as part of the + `TYPO3 11.5.11 and 10.4.29 security release <https://typo3.org/security/advisory/typo3-core-sa-2022-001>`__. + +Description +=========== + +The export functionality has the following security drawbacks: + +* Export for editors is not limited on field level +* The :guilabel:`Save to filename` functionality saves to a shared folder, + which other editors with different access rights may have access to. + +Both issues are not easy to resolve and also the target +audience for the Import/Export functionality are mainly +TYPO3 admins. + +Impact +====== + +The export functionality is restricted +to TYPO3 admin users and to users, who explicitly have +access through the new user TSConfig setting +:typoscript:`options.impexp.enableExportForNonAdminUser`. + +Affected installations +====================== + +Installations with EXT:impexp installed where non-admin users need to use the +export functionality. + +Migration +========= + +If non-admin users should be able to use the export tool, set the +following user TSconfig: + +.. code-block:: typoscript + :caption: EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig + + options.impexp.enableExportForNonAdminUser = 1 + +.. index:: Backend, TSConfig, NotScanned, ext:impexp -- GitLab
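Review bot: The Migration section of the 10.4.x file shows "options.impexp.enableExportForNonAdminUser = 1" under the caption "EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig" without saying that enabling it gives those users back both drawbacks listed under Description: exports are not limited on field level, and "Save to filename" writes to a shared folder that other editors may be able to read. As captioned, the example reads as switching export on for every backend user. Suggest adding a sentence that the option should be set only for the users or groups that actually need the export tool, and using a caption that does not imply all users.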
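Review bot: The 11.5.x file spells the same term two ways: the Impact section has "the new user TSConfig setting" while the Migration section has "following user TSconfig". Pick one spelling and use it in both places; the 10.4.x copy has the same inconsistency, since it is identical apart from the anchor label. In Description, "Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins" stops short of the conclusion it leads to; wording such as "Neither issue is easy to resolve, and the Import/Export functionality is mainly aimed at TYPO3 admins, so export is now restricted" would make the reasoning explicit. In Impact, drop the comma in "to users, who explicitly have".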